vim-patch:8.2.1521: reading past end of buffer when reading spellfile

Problem:    Reading past end of buffer when reading spellfile. (Yegappan
            Lakshmanan)
Solution:   Store the byte length and check for it.
07399e7f07
Jan Edmund Lazo 2020-10-27 22:21:39 -04:00
parent cb6b5e5540
commit 5329cb2e5c
2 changed files with 23 additions and 13 deletions


@ -119,6 +119,7 @@ struct slang_S {
bool sl_add; // true if it's a .add file. bool sl_add; // true if it's a .add file.
char_u *sl_fbyts; // case-folded word bytes char_u *sl_fbyts; // case-folded word bytes
long sl_fbyts_len; // length of sl_fbyts
idx_T *sl_fidxs; // case-folded word indexes idx_T *sl_fidxs; // case-folded word indexes
char_u *sl_kbyts; // keep-case word bytes char_u *sl_kbyts; // keep-case word bytes
idx_T *sl_kidxs; // keep-case word indexes idx_T *sl_kidxs; // keep-case word indexes
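Review bot: The comment on the new `sl_fbyts_len` field says neither what unit it is in nor who maintains it, and since the sibling arrays `sl_kbyts`/`sl_pbyts` in the same struct get no length field it is worth saying that only this tree is bounded. Suggest `long sl_fbyts_len; // number of bytes in sl_fbyts, recorded by spell_read_tree(); the other trees carry no length`. The `slang_S` struct begins and ends outside this hunk.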


@ -764,20 +764,24 @@ truncerr:
} }
// <LWORDTREE> // <LWORDTREE>
res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fidxs, false, 0); res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fbyts_len,
if (res != 0) &lp->sl_fidxs, false, 0);
if (res != 0) {
goto someerror; goto someerror;
}
// <KWORDTREE> // <KWORDTREE>
res = spell_read_tree(fd, &lp->sl_kbyts, &lp->sl_kidxs, false, 0); res = spell_read_tree(fd, &lp->sl_kbyts, NULL, &lp->sl_kidxs, false, 0);
if (res != 0) if (res != 0) {
goto someerror; goto someerror;
}
// <PREFIXTREE> // <PREFIXTREE>
res = spell_read_tree(fd, &lp->sl_pbyts, &lp->sl_pidxs, true, res = spell_read_tree(fd, &lp->sl_pbyts, NULL, &lp->sl_pidxs, true,
lp->sl_prefixcnt); lp->sl_prefixcnt);
if (res != 0) if (res != 0) {
goto someerror; goto someerror;
}
// For a new file link it in the list of spell files. // For a new file link it in the list of spell files.
if (old_lp == NULL && lang != NULL) { if (old_lp == NULL && lang != NULL) {
@ -920,7 +924,7 @@ void suggest_load_files(void)
// <SUGWORDTREE>: <wordtree> // <SUGWORDTREE>: <wordtree>
// Read the trie with the soundfolded words. // Read the trie with the soundfolded words.
if (spell_read_tree(fd, &slang->sl_sbyts, &slang->sl_sidxs, if (spell_read_tree(fd, &slang->sl_sbyts, NULL, &slang->sl_sidxs,
false, 0) != 0) { false, 0) != 0) {
someerror: someerror:
EMSG2(_("E782: error while reading .sug file: %s"), EMSG2(_("E782: error while reading .sug file: %s"),
@ -1630,10 +1634,12 @@ static int
spell_read_tree ( spell_read_tree (
FILE *fd, FILE *fd,
char_u **bytsp, char_u **bytsp,
long *bytsp_len,
idx_T **idxsp, idx_T **idxsp,
bool prefixtree, // true for the prefix tree bool prefixtree, // true for the prefix tree
int prefixcnt // when "prefixtree" is true: prefix count int prefixcnt // when "prefixtree" is true: prefix count
) )
FUNC_ATTR_NONNULL_ARG(1, 2, 4)
{ {
int idx; int idx;
char_u *bp; char_u *bp;
@ -1653,6 +1659,9 @@ spell_read_tree (
// Allocate the byte array. // Allocate the byte array.
bp = xmalloc(len); bp = xmalloc(len);
*bytsp = bp; *bytsp = bp;
if (bytsp_len != NULL) {
*bytsp_len = len;
}
// Allocate the index array. // Allocate the index array.
ip = xcalloc(len, sizeof(*ip)); ip = xcalloc(len, sizeof(*ip));
@ -4850,10 +4859,10 @@ static int sug_filltree(spellinfo_T *spin, slang_T *slang)
spin->si_blocks_cnt = 0; spin->si_blocks_cnt = 0;
// Skip over any other NUL bytes (same word with different // Skip over any other NUL bytes (same word with different
// flags). // flags). But don't go over the end.
while (byts[n + 1] == 0) { while (n + 1 < slang->sl_fbyts_len && byts[n + 1] == 0) {
++n; n++;
++curi[depth]; curi[depth]++;
} }
} else { } else {
// Normal char, go one level deeper. // Normal char, go one level deeper.
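Review bot: Only the case-folded tree is bounded: the `<KWORDTREE>`, `<PREFIXTREE>` and `<SUGWORDTREE>` calls pass `NULL` for `bytsp_len`, so `sl_kbyts`, `sl_pbyts` and `sl_sbyts` still have no recorded length, and any walker over them that uses the same `byts[n + 1] == 0` skip as the last hunk would remain unguardable; if such walks exist elsewhere (not visible here), they need `sl_*_len` fields populated the same way. Separately, `*bytsp_len` is only written after `xmalloc(len)`, so if `spell_read_tree` returns before that point for an empty tree (that path is not in the hunk) a reloaded `slang_T` keeps whatever length it had before; writing `if (bytsp_len != NULL) { *bytsp_len = 0; }` at function entry would close that gap. The `sug_filltree` body and the rest of `spell_read_tree` start and end outside these hunks.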